TLS 1.3 in nginx


#1

Dear Everyone,

I’m trying to make my web server work with TLS 1.3 and nginx. My nginx is currently the latest version and supports TLS 1.3 in the configuration, the CSR file was generated by OpenSSL 1.1.1, and this version supports TLS 1.3 too. But from my test on SSL Labs it always reports that my site doesn’t support TLS 1.3, only TLS 1.2 and below. Can you please tell me if Let’s Encrypt already provides certificates that support TLS 1.3?

Best Regards

Khai Hoan


#2

Yup - I’m doing exactly that, works fine.

Make sure you have TLSv1.3 listed under ssl_protocols, that nginx -V lists OpenSSL 1.1.1 or 1.1.1a-dev and your nginx version is high enough.

If you get that working, the SSL Labs test will be able to see it.


#3

The certificates can be used with many protocols (even outside the TLS 1.x and SSL x systems) and by many kinds of software (VPN, mail server, etc…)

The issue is how you configure the web server to use certain protocols.

For some reason, only the SSL Labs test or the command line (not Chrome or FF) will show your version of TLS 1.3 (Cloudflare TLS 1.3 is shown correctly)

Thanks


#4

The version of SSL/TLS used is separate from the certificate. In other words, the certificate doesn’t influence the TLS version in any way.


#5

I forgot to mention - you need to statically compile nginx against OpenSSL 1.1.1 yourself.

No Linux distro (as of this post) is yet packaging nginx built against anything higher than OpenSSL 1.1.0.

Even though nginx 1.15 technically understands the meaning of “TLSv1.3”, it can’t take advantage of it unless it is linked against a high enough version of OpenSSL.

Notably, this applies to the latest versions of Debian, CentOS and Ubuntu.


#6

Yeah, nothing to do with what SSL certs are used; TLS 1.3 is about having the right version of Nginx, OpenSSL 1.1.1 or BoringSSL, and having the right supporting browser client that speaks the same TLS 1.3 version (draft 23, draft 28 or RFC final).

Which specific version of Nginx are you using?

  • Nginx 1.15.3+ has full TLS 1.3 support with BoringSSL compiled, but needs ssl_protocols to also list TLSv1.3
  • Nginx 1.15.4+ has full TLS 1.3 support with OpenSSL 1.1.1 compiled, but needs ssl_protocols to also list TLSv1.3
ssl_protocols  TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

Full TLS 1.3 meaning including Early Data session resumption (0-RTT)

My Centmin Mod LEMP stack built Nginx works fine with BoringSSL or OpenSSL 1.1.1 based TLS 1.3 RFC final version (https://community.centminmod.com/threads/centmin-mod-nginx-http-2-https-tls-1-3-support.15537/), and I did backport BoringSSL to support TLS 1.3 draft 23, draft 28 and RFC final.

For other folks’ Nginx and OpenSSL 1.1.1 you will only have TLS 1.3 RFC final supported, which is the same version SSL Labs is testing for when checking TLS 1.3, and the same TLS 1.3 version supported on the test client/browser end, i.e. Chrome 70 is using TLS 1.3 RFC final.

You can check if your version of Nginx is compiled against OpenSSL 1.1.1 or BoringSSL via command

nginx -V

Example: my Centmin Mod Nginx 1.15.5 build with OpenSSL 1.1.1 on CentOS 7.5

nginx -V
nginx version: nginx/1.15.5 (141018-121711)
built by gcc 8.2.1 20181012 (GCC) 
built with OpenSSL 1.1.1  11 Sep 2018
TLS SNI support enabled

configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/lib -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/usr/local/lib' --with-cc-opt='-I/usr/local/zlib-cf/include -I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wno-cast-function-type -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=141018-121711 --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-http_flv_module --with-http_mp4_module --add-module=…/nginx-rtmp-module --add-dynamic-module=…/nginx-module-vts --with-libatomic --with-http_gzip_static_module --add-dynamic-module=…/ngx_brotli --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_slice_module --with-http_realip_module --add-dynamic-module=…/ngx-fancyindex-0.4.2 --add-module=…/ngx_cache_purge-2.5 --add-dynamic-module=…/ngx_devel_kit-0.3.0 --add-dynamic-module=…/set-misc-nginx-module-0.32 --add-dynamic-module=…/echo-nginx-module-0.61 --add-module=…/redis2-nginx-module-0.15 --add-module=…/ngx_http_redis-0.3.7 --add-module=…/memc-nginx-module-0.18 --add-module=…/srcache-nginx-module-0.31 --add-dynamic-module=…/headers-more-nginx-module-0.33 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-openssl=…/openssl-1.1.1 --with-openssl-opt='enable-ec_nistp_64_gcc_128 enable-tls1_3'
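Added example, not code from any post in this thread: a small POSIX shell script that applies the version rules from post #6 (OpenSSL 1.1.1 or newer with Nginx 1.15.4+, BoringSSL with Nginx 1.15.3+) to an `nginx -V` banner, the check post #2 tells the original poster to run, and then verifies that an ssl_protocols directive actually lists TLSv1.3. The function names are my own and the banners embedded at the bottom are constructed sample input modelled on the ones posted here.

```shell
#!/bin/sh
# Added example (not code from any post in this thread): applies the version
# rules from post #6 to an `nginx -V` banner and checks an ssl_protocols
# directive for TLSv1.3. Function names and the sample banners are my own.

# version_ge A B: succeed when dotted version A >= B. Non-digit suffixes
# (the "a" in 1.1.1a) are ignored, which is enough for these comparisons.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# tls13_build_check BANNER: BANNER is the text of `nginx -V 2>&1` (nginx
# prints it on stderr). Succeeds when the build can negotiate TLS 1.3 per
# the thread's rules: OpenSSL >= 1.1.1 needs nginx >= 1.15.4, BoringSSL
# needs nginx >= 1.15.3. Prints the reason when it fails.
tls13_build_check() {
    banner=$1
    nginx_ver=$(printf '%s\n' "$banner" | sed -n 's#^nginx version: nginx/\([0-9.]*\).*#\1#p')
    ssl_line=$(printf '%s\n' "$banner" | sed -n 's/^built with //p')
    case $ssl_line in
        *BoringSSL*)
            # BoringSSL reports itself as "OpenSSL 1.1.x (compatible; BoringSSL)"
            need=1.15.3 ;;
        OpenSSL*)
            need=1.15.4
            ssl_ver=$(printf '%s\n' "$ssl_line" | sed 's/^OpenSSL \([0-9][0-9a-z.]*\).*/\1/')
            # A dynamically linked nginx appends "(running with OpenSSL X)" when
            # the runtime library differs; the runtime library is what matters.
            run_ver=$(printf '%s\n' "$ssl_line" | sed -n 's/.*(running with OpenSSL \([0-9][0-9a-z.]*\).*/\1/p')
            if [ -n "$run_ver" ]; then ssl_ver=$run_ver; fi
            if ! version_ge "$ssl_ver" 1.1.1; then
                echo "OpenSSL $ssl_ver is older than 1.1.1: no TLS 1.3"
                return 1
            fi ;;
        *)
            echo "no 'built with' line in banner"
            return 1 ;;
    esac
    if [ -z "$nginx_ver" ] || ! version_ge "$nginx_ver" "$need"; then
        echo "nginx ${nginx_ver:-?} is older than $need: no full TLS 1.3 with this library"
        return 1
    fi
    echo "nginx $nginx_ver, $ssl_line"
    return 0
}

# ssl_protocols_has_tls13 CONFIG: succeed when an uncommented ssl_protocols
# directive in CONFIG lists TLSv1.3 as a separate token.
ssl_protocols_has_tls13() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*ssl_protocols([[:space:]]+[A-Za-z0-9.]+)*[[:space:]]+TLSv1\.3([[:space:]]|;)'
}

# Constructed sample banners, modelled on the ones posted in this thread.
BANNER_OK='nginx version: nginx/1.15.5 (CentOS)
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
built with OpenSSL 1.1.1  11 Sep 2018
TLS SNI support enabled'
BANNER_DISTRO='nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.0g  2 Nov 2017
TLS SNI support enabled'
BANNER_BORING='nginx version: nginx/1.15.5
built with OpenSSL 1.1.0 (compatible; BoringSSL)
TLS SNI support enabled'
BANNER_MIXED='nginx version: nginx/1.15.5
built with OpenSSL 1.1.0g  2 Nov 2017 (running with OpenSSL 1.1.1  11 Sep 2018)
TLS SNI support enabled'

# On a live host: tls13_build_check "$(nginx -V 2>&1)"
for b in "$BANNER_OK" "$BANNER_DISTRO" "$BANNER_BORING" "$BANNER_MIXED"; do
    if tls13_build_check "$b"; then echo "  => TLS 1.3 capable build"; else echo "  => not TLS 1.3 capable"; fi
done
if ssl_protocols_has_tls13 'ssl_protocols TLSv1.2 TLSv1.3;'; then echo "config lists TLSv1.3"; fi
```

A build that passes the first check still only offers TLS 1.3 when the server block that actually answers the SSL Labs probe names TLSv1.3 in ssl_protocols, which is why the second function exists. When copying the ssl_protocols line quoted above, TLSv1 and TLSv1.1 can be dropped; both are deprecated (RFC 8996) and nothing in this thread needs them.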


#7

I was unable to successfully compile OpenSSL 1.1.1 on Ubuntu 18.04
However, CentOS 7.5 worked like a charm.
Both were able to compile NGINX.

[root@localhost nginx]# nginx -V
nginx version: nginx/1.15.5 (CentOS)
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled


#8

OpenSSL 1.1.1 is now included in Ubuntu release 18.10
(released yesterday - October 18, 2018)
[Support will end in April 2019 (Six months from now) for 18.10]
But it seems like a much simpler solution… nothing to compile!
If you need TLSv1.3 and use Ubuntu: You could install/upgrade to version 18.10 which should be able to install NGINX and support TLSv1.3 right from the repos (apt-get install openssl nginx).
I may test an upgrade to 18.10 later and reply with any findings.
(when the repos allow for it - do-release-upgrade returning “No new release found.”)


#9

do-release-upgrade
returning “No new release found.”

and
do-release-upgrade -d
returning “Upgrades to the development release are only available from the latest supported release.”

lsb_release -a :
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.1 LTS
Release: 18.04
Codename: bionic

Seems you can only get to 18.10 from 18.04.5
But I’m unable to get to 18.04.5 from 18.04.1…
Oh well.


#10

For my server, I just compile Nginx with an external OpenSSL (1.1.1) library instead of updating the system OpenSSL (to 1.1.1)…

Thank you


#11

You should give more detail to better understand your situation…

That was the first thing I tried; but it failed, and it continued to fail (in the exact same way) when I tried to compile OpenSSL 1.1.1 - so my trouble was with OpenSSL and Ubuntu 18.04.1…